Table of contents #
Introduction #
This is a list of custom filters, rules and settings I use for Fail2ban.
Settings #
Logrotate #
Install logrotate then run
# systemctl start logrotate.timer
# systemctl enable logrotate.timer
Add a new file:
/etc/logrotate.d/jenkins/var/log/jenkins/*.log { weekly copytruncate missingok rotate 10 compress delaycompress notifempty }
Fail2ban #
Global options #
/etc/fail2ban/jail.localignoreip = 127.0.0.1/8 ::1 # add your local network here to avoid being locked out mta = sendmail # you must have postfix working sender = # add the sender email destemail = # add the destination email maxretry = 3 bantime = 15d findtime = 3600s banaction = iptables-allports action = %(action_mwl)s/etc/fail2ban/action.d/abuseipdb.confactionban =Replace the default action with an empty one
Systemd service #
Follow the instructions reported here
# systemctl edit fai2ban# GFDL v1.3+ # ArchWiki contributors # https://wiki.archlinux.org/index.php/Fail2ban [Service] PrivateDevices=yes PrivateTmp=yes ProtectHome=read-only ProtectSystem=strict ## NoNewPrivileges=yes # I had problems sending emails with this option enabled. ReadWritePaths=-/var/run/fail2ban ReadWritePaths=-/var/lib/fail2ban ReadWritePaths=-/var/log/fail2ban ReadWritePaths=-/var/spool/postfix/maildrop ReadWritePaths=-/run/xtables.lock CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW [Unit] OnFailure=notify-unit-status@%n.service # Optional. See https://frnmst.github.io/automated-tasks/scripts.html#notify-unit-status-py After=postfix.service Requires=postfix.service/etc/fail2ban/fail2ban.local# GFDL v1.3+ # ArchWiki contributors # https://wiki.archlinux.org/index.php/Fail2ban [Definition] logtarget = /var/log/fail2ban/fail2ban.log
Jenkins #
/etc/conf.d/jenkins# Enable access log. JENKINS_ACCESSLOG="--accessLoggerClassName=winstone.accesslog.SimpleAccessLogger --simpleAccessLogger.format=combined --simpleAccessLogger.file=/var/log/jenkins/access.log" # Keep the rest. # Add JENKINS_ACCESSLOG to the command line arguments. JENKINS_COMMAND_LINE="$JAVA $JAVA_ARGS $JAVA_OPTS -jar $JENKINS_WAR $JENKINS_WEBROOT $JENKINS_PORT $JENKINS_AJPPORT $JENKINS_OPTS $JENKINS_ACCESSLOG"See also https://wiki.jenkins.io/display/JENKINS/Access+Logging
Filters #
Gitea #
/etc/fail2ban/filter.d/gitea.conf
Gotify #
/etc/fail2ban/filter.d/gotify.conf[Definition] failregex = .*?\| 401 \|.*?\|.*?<HOST> \| POST.*?"/client" ignoreregex = Error #01: you need to provide a valid access token or user credentials to access this api.* datepattern = %%Y/%%m/%%d - %%H:%%M:%%S
Roundcube #
/etc/fail2ban/filter.d/roundcube-auth.conf
Jenkins #
/etc/fail2ban/filter.d/jenkins.conf[Definition] failregex = <HOST>.*?GET /loginError HTTP/1.1" 401.*? ignoreregex = datepattern = %%d/%%b/%%Y:%%H:%%M:%%S
Jails #
Gitea #
/etc/fail2ban/jail.local[gitea] enabled = true port = http,https filter = gitea logpath = /var/log/gitea/gitea.log
Gotify #
/etc/fail2ban/jail.local[gotify] enabled = true port = http,https filter = gotify logpath = /var/log/gotify/server.log
Roundcube #
/etc/fail2ban/jail.local[roundcube] enabled = true port = http,https filter = roundcube-auth logpath = /var/log/roundcubemail/errors.log
Jenkins #
/etc/fail2ban/jail.local[jenkins] enabled = true port = http,https filter = jenkins logpath = /var/log/jenkins/access.log